
mace-opensaml-users - RE: Signature Verification error

Subject: OpenSAML user discussion


RE: Signature Verification error


  • From: "Scott Cantor" <>
  • To: "'Brad Anderson'" <>, <>
  • Subject: RE: Signature Verification error
  • Date: Wed, 29 Nov 2006 17:45:58 -0500

> The last line there, about ignoring the unknown element
> {}Signature - is this expecting ds:Signature?

It shouldn't care what the prefix is.

I think there are two issues here...one is that the SignatureValidator
really ought to throw on a null Signature (IMHO). The C++ one does, so we
should make it consistent either way. But I think if you expect something to
be signed and ask to validate it, it should be an error if it's not.

The other issue is the unmarshaller. It seems to be unmarshalling it all ok,
but the parent object seems to not know what to do with the Signature and
just throws it away, leading to the other problem.

> One of our signed assertions (Signature node) looks like this:

FWIW, that's a dangerous signature.

> <Signature
> xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <CanonicalizationMethod
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
> <SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
> <Reference URI="">

That means "the whole document". Assertions are rarely signed that way
because they can't be embedded. You should have a reference URI pointing to
the AssertionID.

-- Scott
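A small check for the two points raised in this message, as an added example that is not from the thread or from OpenSAML itself: it inspects an enveloped Signature on a SAML 1.x Assertion, treats a missing Signature as a failure, and flags a Reference URI="" (whole document) versus a same-document reference to the assertion's own AssertionID. The sample assertions are constructed, with dummy digest and signature values, and the function only inspects the reference structure; it does not verify the signature.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"


def signature_reference_report(assertion_xml: str) -> dict:
    """Report what the enveloped Signature's <Reference> elements cover.

    Structural check only: cryptographic verification is out of scope here.
    """
    root = ET.fromstring(assertion_xml)
    assertion_id = root.get("AssertionID")  # SAML 1.x; SAML 2 uses ID
    sig = root.find(DS + "Signature")
    if sig is None:
        # Expected a signed assertion and found none: treat as an error,
        # rather than silently "validating" a null Signature.
        return {"signed": False, "reference_uris": [],
                "whole_document": False, "covers_assertion": False}
    uris = [ref.get("URI")
            for ref in sig.iterfind(DS + "SignedInfo/" + DS + "Reference")]
    return {
        "signed": True,
        "reference_uris": uris,
        # URI="" signs the whole document, so the assertion cannot be
        # embedded in a larger message without breaking the signature.
        "whole_document": "" in uris,
        # What an embeddable assertion needs: a same-document reference
        # to its own AssertionID, not to some other element's ID.
        "covers_assertion": assertion_id is not None
                            and ("#" + assertion_id) in uris,
    }


def constructed_assertion(reference_uri: str) -> str:
    """Constructed sample (not real data); digest/signature values are dummies."""
    return (
        '<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"'
        ' AssertionID="_a1">'
        '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>'
        '<CanonicalizationMethod'
        ' Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>'
        '<SignatureMethod'
        ' Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
        f'<Reference URI="{reference_uri}">'
        '<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
        '<DigestValue>AAAA</DigestValue></Reference></SignedInfo>'
        '<SignatureValue>AAAA</SignatureValue></Signature></Assertion>'
    )
```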

